Audit: use new LSM hooks instead of SELinux exports

Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)

and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)

Call security_release_secctx only if security_secid_to_secctx
succeeded.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>

diff --git a/kernel/audit.c b/kernel/audit.c
index b782b04..784a48e 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -265,13 +265,13 @@ static int audit_log_config_change(char *function_name, int new, int old,
                char *ctx = NULL;
                u32 len;
 
-               rc = selinux_sid_to_string(sid, &ctx, &len);
+               rc = security_secid_to_secctx(sid, &ctx, &len);
                if (rc) {
                        audit_log_format(ab, " sid=%u", sid);
                        allow_changes = 0; /* Something weird, deny request */
                } else {
                        audit_log_format(ab, " subj=%s", ctx);
-                       kfree(ctx);
+                       security_release_secctx(ctx, len);
                }
        }
        audit_log_format(ab, " res=%d", allow_changes);
@@ -550,12 +550,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
        audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
                         pid, uid, auid);
        if (sid) {
-               rc = selinux_sid_to_string(sid, &ctx, &len);
+               rc = security_secid_to_secctx(sid, &ctx, &len);
                if (rc)
                        audit_log_format(*ab, " ssid=%u", sid);
-               else
+               else {
                        audit_log_format(*ab, " subj=%s", ctx);
-               kfree(ctx);
+                       security_release_secctx(ctx, len);
+               }
        }
 
        return rc;
@@ -758,18 +759,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                break;
        }
        case AUDIT_SIGNAL_INFO:
-               err = selinux_sid_to_string(audit_sig_sid, &ctx, &len);
+               err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
                if (err)
                        return err;
                sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
                if (!sig_data) {
-                       kfree(ctx);
+                       security_release_secctx(ctx, len);
                        return -ENOMEM;
                }
                sig_data->uid = audit_sig_uid;
                sig_data->pid = audit_sig_pid;
                memcpy(sig_data->ctx, ctx, len);
-               kfree(ctx);
+               security_release_secctx(ctx, len);
                audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
                                0, 0, sig_data, sizeof(*sig_data) + len);
                kfree(sig_data);

diff --cc kernel/auditfilter.c
Simple merge

diff --cc kernel/auditsc.c
Simple merge